Introduction to Data Privacy & ediscovery Intersection of Data Privacy & ediscovery

Transcription

1 Today s Topics Introduction to Data Privacy & ediscovery General Overview Data Privacy in the United States Data Privacy in Foreign Countries Intersection of Data Privacy & ediscovery Preservation of Data Collection of Data Transfer of Data to Law Firm or Vendor Hosting of Data by Law Firm or Vendor Production of Data to Requesting Party Return or Destruction of Data 1 Data Privacy & ediscovery

2 Introduction to Data Privacy & ediscovery Understanding What Data Privacy Means is Critical to Ensuring the ediscovery Process Properly Protects Personal Information Data privacy refers to the appropriate use of personal information under the circumstances. What is personal information? Sensitive information Personally Identifiable Information (PII) Protected Health Information (PHI) Non-public personal financial information (NPPI) 2 Data Privacy & ediscovery

3 Introduction to Data Privacy & ediscovery Personal Information May Include a Wide Variety of Categories Name, gender, age and date of birth Marital status, citizenship, nationality, race, political opinion, religious beliefs Health information Veteran status, disabled status Personal address, phone number, address, social media Business address, phone number, address, social media Internal identification numbers Government-issued identification numbers Social Security number, driver s license, passport 3 Data Privacy & ediscovery

4 Introduction to Data Privacy & ediscovery Organizations are Required by Law to Protect Personal Information, but Privacy Laws Differ Among Jurisdictions In the United States, privacy laws focus on consumer protection Health, human resources, financial, education, government identifiers, online and ecommunications Presumption that the organization can use personal information unless that use is harmful or prohibited by sector-based law In many foreign countries, in particular in the European Union, data privacy is a human right Scope of what is considered personal information may be much broader than in the United States Presumption is that use of personal information is prohibited unless certain conditions are met 4 Data Privacy & ediscovery

5 Introduction to Data Privacy & ediscovery In the United States, There are a Variety of Federal and State Laws and a Variety of Government or Self-Regulatory Agencies Relevant to Data Privacy Examples of Federal & State Laws Gramm-Leach-Bliley Act (GLB Act) Right to Financial Privacy Act (RFPA) Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic & Clinical Health (HITECH) Act Children s Online Protection Act (COPA) Electronic Communications Privacy Act State Privacy and Security Breach Laws State Data Transfer Laws Examples of Relevant Regulators /Self- Regulatory Regimes Federal Trade Commission (FTC) Federal Communications Commission (FCC) Department of Commerce Consumer Financial Protection Bureau (CFPB) Department of Transportation (DOT) Securities and Exchange Commission (SEC) Office of the Comptroller of the Currency (OCC) Federal Reserve Federal & State Attorneys General Payment Card Industry Data Security Standards (PCI DSS) 5 Data Privacy & ediscovery

6 Introduction to Data Privacy & ediscovery United States Discovery Rules Assume that Relevant Personal or Private Information Must be Produced in Response to Document Requests Federal Rule of Civil Procedure 26 & State analogs recognize that protections may be necessary for certain types of data, including personal information or business sensitive information Consideration must be given to whether personal information is relevant to the litigation/investigation Protective orders are often used to ensure the protection of personal or private information in discovery U.S. courts have not been willing to excuse production based on foreign data protection laws or blocking statutes 6 Data Privacy & ediscovery

7 Introduction to Data Privacy & ediscovery In Foreign Jurisdictions, There are Different Types of Laws that Relate to Data Privacy and May Impact ediscovery Data Protection Laws: Laws designed to protect privacy in some jurisdictions they cover broader categories of data than U.S. privacy laws Blocking Statutes: Laws designed to protect sovereignty, and shield foreign nationals from intrusive U.S.-style litigation Others: State Secret Laws, Bank Secrecy Laws, etc. 7 Data Privacy & ediscovery

8 Introduction to Data Privacy & ediscovery In the European Union, Each Country s Data Protection Laws Must Comply with the 1995 Data Protection Directive (Currently Under Review) Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data Directive restricts the processing and transfer of personal data These terms are broadly defined Provides for notice to affected employees, including target of an investigation The EU Data Protection Directive binds member-states, and each EU member state implements its own data protection laws 8 Data Privacy & ediscovery

9 Introduction to Data Privacy & ediscovery Data Protection Laws or Blocking Statutes May Severely Restrict Whether and How Data May be Transferred to the United States in Response to Requests for Production Possible steps to permit transfer of data Elimination of personal data from set transferred Use of safe harbor vendors Model contracts/strict protective orders Hague Evidence Convention Blocking statutes may prohibit the transfer of data to the United States in response to litigation requests and may require appeal to foreign courts 9 Data Privacy & ediscovery

10 Introduction to Data Privacy & ediscovery Many Countries Outside the United States and the European Union Have Implemented Their Own Data Protection Laws Outside the EU, data protection law is rapidly evolving, and the EU Directive is a leading model For example, there are data protection laws in Asia (e.g., South Korea, Hong Kong and Taiwan) and South America (e.g., Peru, Argentina) There are also other foreign laws that may be obstacles to discovery. For example: People s Republic of China State Secrets Protection Banking Secrecy Laws in Singapore and Switzerland 10 Data Privacy & ediscovery

11 Intersection of Data Privacy & ediscovery Protecting Personal Information Retained by an Organization Requires Understanding how Data Privacy and ediscovery Intersect Data privacy concerns are often overlooked in litigations/investigations At each stage of the litigation/investigation life cycle, there may be an impact on: Data privacy Data security Protection of business sensitive information (BSI), e.g., intellectual property, non-disclosure agreements, commercially important information Effective management of information during the litigation/ investigation life cycle is critical to maintaining compliance with data privacy obligations, protecting an organization s valuable information, and safeguarding an organization s reputation 11 Data Privacy & ediscovery

12 Intersection of Data Privacy & ediscovery Preservation of Data Retaining data longer than record retention policies require may implicate data privacy obligations Can be considered processing under Data Protection Laws Preserve-in-place v. segregation of data for preservation may impact data security Legal holds to U.S. employees may be different than legal holds sent to non-u.s. employees Notice and consent required? 12 Data Privacy & ediscovery

13 Intersection of Data Privacy & ediscovery Collection of Data Understanding of where personal or private information may reside within the organization before collection Coordination between Legal and Data Privacy professionals Collection By Organization vs. By Outside Vendor Collection Manually vs. Use of Technology By Data Source vs. By Relevance How is data transferred within the organization? Notice and consent required? 13 Data Privacy & ediscovery

14 Intersection of Data Privacy & ediscovery Transferring Data to Law Firm or Vendor Communicating data privacy issues to Law Firm and Vendor Maintaining an audit trail and chain-of-custody Ensuring adequate protections are in place, e.g., encryption or mode of transfer (UPS, hand delivery, etc.) Consider taking additional protective measures prior to transferring any data located overseas to the United States Early filtering to minimize quantity of personal data involved Redaction/anonymization On-site/in-country review Notice and consent? 14 Data Privacy & ediscovery

15 Intersection of Data Privacy & ediscovery Hosting of Data by Law Firm or Vendor Traditionally, ediscovery vendor selection and contracting not subject to scrutiny Remember: if ediscovery vendor discloses data, the organization may be liable Treat ediscovery services as important to the organization and plan accordingly Terms of Engagement Adequate security Audit rights Indemnifications Limits of Liability Special requirements for certain data Notice and consent? 15 Data Privacy & ediscovery

16 Intersection of Data Privacy & ediscovery Production of Data to Requesting Party To Government Agency Request for confidentiality (e.g., FOIA) Special requests for private data Consider coordination with foreign governments, where applicable Redaction is not legally required to produce? To Plaintiff s/requestors Law Firm Communicate data privacy issues and risks associated with production Protective Orders 16 Data Privacy & ediscovery Attorneys Eyes Only Special Storage Requirements Redaction if not legally required to produce? Notice and consent?

17 Intersection of Data Privacy & ediscovery Return or Destruction of Data By Law Firm or Vendor Include in engagement letters or contracts Legal obligation and practical ability Ability to audit compliance By Requesting Party Include in protective orders Legal obligation and practical ability Ability to audit compliance Notice and consent? 17 Data Privacy & ediscovery

18 Questions? 18 Data Privacy & ediscovery